Enforcers hijack European privacy policy


Thuiswinkel.org, the Dutch organisation for webshops and co-founder of Ecommerce Europe, argues in favour of advisory board with seats for consumers and business world The Dutch Data Protection Authority (DPA) has allocated itself – together with its European sister organisations – too large a role in interpreting European privacy legislation. These supervisory enforcers, united in the Article 29 Working Group, sometimes even come up with their own interpretations of the legislation and subsequently even start checking for observance. In short, the supervisory enforcers are sometimes manifesting as a court of justice and at others times as a legislator. According to Thuiswinkel.org, such a course of affairs is completely at odds with the basic principles of democratic government. In order to tackle this problem, the organisation that lobbies for webshops wants to see an advisory board set up, with seats for consumers and the business world.

Various aspects of the European Union’s General Privacy Directive left room for interpretation. In practice, however, this empty space is increasingly being filled up by the Article 29 Working Group, whose members are national supervisory enforcers such as the DPA. During the past few years this Working Group has on numerous occasions opted for a strict – sometimes even unreasonable, in the opinion of Thuiswinkel.org – interpretation of the legislation. For example, they stretched the personal data concept to include IP-addresses. Moreover, the Working Group took the initiative and drew up additional rules, without any verification by the European Commission and the European Parliament. Nor was there any consultation with other stakeholders, such as consumers and the business world. For example, the concept of ‘data controller’ was so loosely defined that many businesses had to go to a lot of expense in designing processes to protect personal data. Thuiswinkel.org diagnosed that in fact, the Article 29 Working Group has developed into a state within a state.

Further deterioration
The European Parliament is shortly to decide on the Draft of the Data Protection Regulation of Viviane Reding, Euro commissioner for Justice. This regulation will replace the current General Privacy Directive. Thuiswinkel.org predicts that the situation will deteriorate even further if the draft regulation comes into force unaltered. Because European commissioner Reding wants to give the European Data Protection Board (EDPB), successor to the Article 29 Working Group, in which once again the national supervisory enforcers will get an extremely prominent role, even more powers than its predecessor. This will only serve to make the existing ‘democratic deficit’ even bigger.

More influence for citizens and businesses
Thuiswinkel.org has written a Positioning Paper drawing attention to the above-described problem. The lobby organisation proposes setting up an advisory board, the European Data Protection Council. The idea is that the board will be consulted by the legislator and the supervisory enforcers about all privacy issues. The board should also be able to independently issue advice on privacy. Apart from the chairman of the EDPB, and a number of privacy experts, the board would also have seats for representatives of consumer organisations and lobby organisations from the business world. This will ensure that the parties subject to the privacy legislation also have a voice in matters, as well as solving the problem of the excessive omnipotence of the supervisory enforcers.

Download Position Paper Data Protection Regulation